
Security with the Django Web Framework

Lately, I was involved with the Python Django web framework (The Web framework for perfectionists with deadlines) and was shocked that still, in 2013, the official documentation (https://docs.djangoproject.com/en/dev/ref/settings/) and the “experts” on stackoverflow (http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text) recommend storing database connection credentials in clear text.

Python has a keyring library (https://pypi.python.org/pypi/keyring) that provides an easy way to access the system keyring service from Python and can be used in an application to safely store passwords.

To install it on Ubuntu, first make sure you have an up-to-date pip Python package:

sudo apt-get install python-pip

sudo pip install pip -U

Then, using pip, install the keyring library:

sudo pip install keyring

Finally, update settings.py with the following code to securely store the authentication credentials:

import keyring
import getpass

database_name = 'schema_name'
username = 'administrator'

# Look up the password in the system keyring; None if it was never stored.
password = keyring.get_password(database_name, username)

while not password:
    # Nothing stored yet (or an empty answer was given): ask on the terminal.
    password = getpass.getpass(database_name + " Password:\n")

# Store the password in the keyring so the next start does not prompt.
keyring.set_password(database_name, username, password)

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': database_name,  # Or path to database file if using sqlite3.
        'USER': username,  # Not used with sqlite3.
        'PASSWORD': password,  # Not used with sqlite3.
        'HOST': 'db.inteliident.com',  # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '3306',  # Set to empty string for default. Not used with sqlite3.
    }
}

Simple, isn’t it?

John Markh